git-annex/doc/todo/append-only_mode.mdwn

The [[git-annex-shell]] wrapper allows the configuration of a readonly
repository (through the `GIT_ANNEX_READONLY` environment and friends)
but that is useful only when we want users to access the data and not
add to it.

It would be nice to have a *write-only* or "append-only" mode. My use
case is a backup server that would receive git-annex objects and
changes, but would forbid the client from deleting content on the
server. This is to protect contents from being destroyed (or encrypted
as is a common pattern with ransomware) by a compromised client.

There has been some discussions and work done to protect *branches* in
such a way, in
[[todo/git-hook_to_sanity-check_git-annex_branch_pushes]], and that
could help, but even with git hooks, a malicious client could still
drop content.

It seems to me this would require modifications to the
`git-annex-shell` wrapper to forbid certain operations like `dropkey`,
`lockcontent`, or `p2pstdio` although I'm unfamiliar with the last two
so I am not certain they could be harmful. Maybe `p2pstdio` itself
could be somewhat fixed to allow only append commands.

Is it fair to assume that `recvkey` is safe in this context, ie. that
it wouldn't overwrite an existing bit of content without first doing a
checksum?

Thanks! -- [[anarcat]]

> Good idea.. Implemented. 
> 
> I'm not entirely happy with the name, but could not think of
> a better one.
> 
> Yes, `recvkey` will never overwrite content already in the annex,
> and unless you turn off annex.verify, hashes will also be checked
> before letting anything into the annex.
> 
> Of course, if non-hashed keys are used, and an object has not
> reached the repository yet from a trusted source, an attacker
> could slip in something malicious without being noticed.
> Setting annex.securehashesonly would be a good idea to prevent this.
> 
> p2pstdio implements the same security policies as the rest of
> git-annex-shell.
> 
> --[[Joey]]

> Update: I didn't close this before, but it seems [[done]] --[[Joey]]
another untrusted client idea 2018-05-17 18:14:17 +00:00			`The [[git-annex-shell]] wrapper allows the configuration of a readonly`
			repository (through the `GIT_ANNEX_READONLY` environment and friends)
			`but that is useful only when we want users to access the data and not`
			`add to it.`

			`It would be nice to have a write-only or "append-only" mode. My use`
			`case is a backup server that would receive git-annex objects and`
			`changes, but would forbid the client from deleting content on the`
			`server. This is to protect contents from being destroyed (or encrypted`
			`as is a common pattern with ransomware) by a compromised client.`

			`There has been some discussions and work done to protect branches in`
			`such a way, in`
			`[[todo/git-hook_to_sanity-check_git-annex_branch_pushes]], and that`
			`could help, but even with git hooks, a malicious client could still`
			`drop content.`

			`It seems to me this would require modifications to the`
			`git-annex-shell` wrapper to forbid certain operations like `dropkey`,
			`lockcontent`, or `p2pstdio` although I'm unfamiliar with the last two
			so I am not certain they could be harmful. Maybe `p2pstdio` itself
			`could be somewhat fixed to allow only append commands.`

			Is it fair to assume that `recvkey` is safe in this context, ie. that
			`it wouldn't overwrite an existing bit of content without first doing a`
			`checksum?`

			`Thanks! -- [[anarcat]]`
GIT_ANNEX_SHELL_APPENDONLY Makes it allow writes, but not deletion of annexed content. Note that securing pushes to the git repository is left up to the user. This commit was sponsored by Jack Hill on Patreon. 2018-05-25 17:17:56 +00:00
			`> Good idea.. Implemented.`
			`>`
			`> I'm not entirely happy with the name, but could not think of`
			`> a better one.`
			`>`
			> Yes, `recvkey` will never overwrite content already in the annex,
			`> and unless you turn off annex.verify, hashes will also be checked`
			`> before letting anything into the annex.`
			`>`
			`> Of course, if non-hashed keys are used, and an object has not`
			`> reached the repository yet from a trusted source, an attacker`
			`> could slip in something malicious without being noticed.`
			`> Setting annex.securehashesonly would be a good idea to prevent this.`
			`>`
			`> p2pstdio implements the same security policies as the rest of`
			`> git-annex-shell.`
			`>`
			`> --[[Joey]]`
close, these seem done already 2018-09-06 17:11:35 +00:00
			`> Update: I didn't close this before, but it seems [[done]] --[[Joey]]`